
Cyber Incident Victim: Região Norte

Date: Sep 2023

Location: Portugal

Summary

A cyberattack targeted a Portuguese municipality, described as the largest on a public institution in the country, causing extensive operational disruption and requiring €1.5 million in recovery investments. The ransomware incident encrypted data and led to prolonged downtime, with services expected to normalize months later; 90% of 900 affected computers were restored after disk replacements and system reinstalls, though some online services remained inoperable. Attackers infiltrated systems via a Russian server, demanding €750,000, which was not paid due to legal constraints and official advisories. Stolen sensitive data, including citizen IDs and financial records, was leaked on the dark web, forcing a temporary return to paper-based operations while authorities investigate the intrusion’s duration and motives.


Description

The cyberattack on Gondomar town hall began in the early hours of September 27, 2023, with an alert triggered at 05:38. Authorities identified it as the largest cyberattack on a Portuguese public institution to date, according to the National Cybersecurity Centre's assessment relayed by Mayor Marco Martins. The intrusion encrypted municipal data, prompting a ransom demand of €750,000 from attackers operating through a Russian server. The council refused payment based on three factors: explicit advice from authorities, lack of guarantee for data recovery, and legal prohibitions against using public funds for ransom without a tender process. Immediate response efforts involved contracting a private company affiliated with the Altice group to decrypt and restore systems, though services remained partially disrupted through a parallel processing system. Initial restoration costs reached €1.4-1.5 million, covering 700 new storage discs, security reinforcements, and recovery services. Technical teams worked to rebuild 900 network computers by replacing hardware and reinstalling operating systems and applications, achieving 90% operational status by the time of reporting. Full normalization of services was projected for late December 2023.

The attack caused extensive operational paralysis, forcing a return to paper-based processes across municipal departments. Hackers exfiltrated and published sensitive data on the dark web, including citizen identification documents, passports, and internal investment records. Mayor Martins acknowledged unconfirmed reports of attacker infiltration persisting for over a year prior to the breach, though he emphasized the system's prior robustness against average monthly attacks. The incident marked the inaugural activation of Gondomar's Municipal Relief Operations Centre—a facility designed for natural disasters—for a cybersecurity crisis. Financial impacts extended beyond direct restoration costs to include unspecified "many millions" in cumulative losses from prolonged downtime affecting public services and resident projects. An external audit initiated in October aimed to determine responsibility for security lapses, while authorities continued investigating indications that the primary attack motive was disruption rather than financial extortion or data theft. No final forensic report had been issued at the time of disclosure.
